CORS 3.1 update (#17345)

* CORS 3.1 update

* CORS 3.1 update

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* work

* routing debug NuGet package

* routing debug NuGet package

* Apply suggestions from code review

Co-Authored-By: Scott Addie <10702007+scottaddie@users.noreply.github.com>

* Javascript

* Apply suggestions from code review

Co-Authored-By: Scott Addie <10702007+scottaddie@users.noreply.github.com>

* Apply suggestions from code review

Co-Authored-By: Scott Addie <10702007+scottaddie@users.noreply.github.com>

* work

* work

* work

* Apply suggestions from code review

Co-Authored-By: Kirk Larkin <6025110+serpent5@users.noreply.github.com>

* react to feedback

* react to feedback

* react to feedback

* react to feedback

* react to feedback

* react to feedback

* react to feedback

* react to feedback

* Apply suggestions from code review

Co-Authored-By: Kirk Larkin <6025110+serpent5@users.noreply.github.com>

* react to feedback

Co-authored-by: Scott Addie <10702007+scottaddie@users.noreply.github.com>
Co-authored-by: Kirk Larkin <6025110+serpent5@users.noreply.github.com>

Author: 3 people

aspnetcore/security/cors.md

@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "dotnet-ef": {
+      "version": "3.1.2",
+      "commands": [
+        "dotnet-ef"
+      ]
+    }
+  }
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/.config/dotnet-tools.json

@@ -0,0 +1,46 @@
+using Microsoft.AspNetCore.Cors;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Docs.Samples;
+
+namespace WebAPI.Controllers
+{
+    #region snippet2
+    [Route("api/[controller]")]
+    [ApiController]
+    public class TodoItems1Controller : ControllerBase
+    {
+        // PUT: api/TodoItems1/5
+        [HttpPut("{id}")]
+        public IActionResult PutTodoItem(int id)
+        {
+            if (id < 1)
+            {
+                return Content($"ID = {id}");
+            }
+
+            return ControllerContext.MyDisplayRouteInfo(id);
+        }
+
+        // Delete: api/TodoItems1/5
+        [HttpDelete("{id}")]
+        public IActionResult MyDelete(int id) =>
+            ControllerContext.MyDisplayRouteInfo(id);
+
+        // GET: api/TodoItems1
+        [HttpGet]
+        public IActionResult GetTodoItems() =>
+            ControllerContext.MyDisplayRouteInfo();
+
+        [EnableCors]
+        [HttpGet("{action}")]
+        public IActionResult GetTodoItems2() =>
+            ControllerContext.MyDisplayRouteInfo();
+
+        // Delete: api/TodoItems1/MyDelete2/5
+        [EnableCors]
+        [HttpDelete("{action}/{id}")]
+        public IActionResult MyDelete2(int id) =>
+            ControllerContext.MyDisplayRouteInfo(id);
+    }
+    #endregion
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/Controllers/TodoItems1Controller.cs

@@ -0,0 +1,61 @@
+using Microsoft.AspNetCore.Cors;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Docs.Samples;
+
+// Used in both the MD file and the RP Test.cshtml
+
+namespace WebAPI.Controllers
+{
+    #region snippet2
+    #region snippet
+    [Route("api/[controller]")]
+    [ApiController]
+    public class TodoItems2Controller : ControllerBase
+    {
+        // OPTIONS: api/TodoItems2/5
+        [HttpOptions("{id}")]
+        public IActionResult PreflightRoute(int id)
+        {
+            return NoContent();
+        }
+
+        // OPTIONS: api/TodoItems2 
+        [HttpOptions]
+        public IActionResult PreflightRoute()
+        {
+            return NoContent();
+        }
+
+        [HttpPut("{id}")]
+        public IActionResult PutTodoItem(int id)
+        {
+            if (id < 1)
+            {
+                return BadRequest();
+            }
+
+            return ControllerContext.MyDisplayRouteInfo(id);
+        }
+        #endregion
+
+        // [EnableCors] // Not needed as OPTIONS path provided
+        [HttpDelete("{id}")]
+        public IActionResult MyDelete(int id) =>
+            ControllerContext.MyDisplayRouteInfo(id);
+
+        [EnableCors]  // Rquired for this path
+        [HttpGet]
+        public IActionResult GetTodoItems() =>
+            ControllerContext.MyDisplayRouteInfo();
+
+        [HttpGet("{action}")]
+        public IActionResult GetTodoItems2() =>
+            ControllerContext.MyDisplayRouteInfo();
+
+        [EnableCors]  // Rquired for this path
+        [HttpDelete("{action}/{id}")]
+        public IActionResult MyDelete2(int id) =>
+            ControllerContext.MyDisplayRouteInfo(id);
+    }
+    #endregion
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/Controllers/TodoItems2Controller.cs

@@ -0,0 +1,38 @@
+using Microsoft.AspNetCore.Cors;
+using Microsoft.AspNetCore.Mvc;
+
+namespace WebAPI.Controllers
+{
+    #region snippet
+    [Route("api/[controller]")]
+    [ApiController]
+    public class TodoItemsController : ControllerBase
+    {
+        // PUT: api/TodoItems/5
+        [HttpPut("{id}")]
+        public ContentResult PutTodoItem(int id)
+        {
+            if (id < 1)
+            {
+                return Content($"ID = {id}");
+            }
+
+            return Content($"PutTodoItem: ID = {id}");
+        }
+
+        // Delete: api/TodoItems/5
+        [HttpDelete("{id}")]
+        public ContentResult MyDelete(int id)
+        {
+            return Content($"MyDelete: ID = {id}");
+        }
+        #endregion
+
+        // GET: api/TodoItems
+        [HttpGet]
+        public ContentResult GetTodoItems()
+        {
+            return Content("Get TO DO ");
+        }
+    }
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/Controllers/TodoItemsController.cs

@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Cors;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Docs.Samples;
+
+namespace WebAPI.Controllers
+{
+    #region snippet
+    [EnableCors("MyPolicy")]
+    [Route("api/[controller]")]
+    [ApiController]
+    public class ValuesController : ControllerBase
+    {
+        // GET api/values
+        [HttpGet]
+        public IActionResult Get() =>
+            ControllerContext.MyDisplayRouteInfo();
+
+        // GET api/values/5
+        [HttpGet("{id}")]
+        public IActionResult Get(int id) =>
+            ControllerContext.MyDisplayRouteInfo(id);
+
+        // PUT api/values/5
+        [HttpPut("{id}")]
+        public IActionResult Put(int id) =>
+            ControllerContext.MyDisplayRouteInfo(id);
+
+
+        // GET: api/values/GetValues2
+        [DisableCors]
+        [HttpGet("{action}")]
+        public IActionResult GetValues2() =>
+            ControllerContext.MyDisplayRouteInfo();
+
+    }
+    #endregion
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/Controllers/ValuesController.cs

@@ -0,0 +1,36 @@
+using Microsoft.AspNetCore.Cors;
+using Microsoft.AspNetCore.Mvc;
+using System.Collections.Generic;
+
+namespace WebAPI.Controllers
+{
+    #region snippet
+    [Route("api/[controller]")]
+    [ApiController]
+    public class WidgetController : ControllerBase
+    {
+        // GET api/values
+        [EnableCors("AnotherPolicy")]
+        [HttpGet]
+        public ActionResult<IEnumerable<string>> Get()
+        {
+            return new string[] { "green widget", "red widget" };
+        }
+
+        #region snippet2
+        // GET api/values/5
+        [EnableCors("Policy1")]
+        [HttpGet("{id}")]
+        public ActionResult<string> Get(int id)
+        {
+            return id switch
+            {
+                1 => "green widget",
+                2 => "red widget",
+                _ => NotFound(),
+            };
+        }
+        #endregion
+    }
+    #endregion
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/Controllers/WidgetController.cs

@@ -0,0 +1,7 @@
+namespace WebAPI
+{
+    public static  class MyGC
+    {
+        public const string  MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
+    }
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/MyGC.cs

@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.Extensions.Configuration;
+
+namespace WebAPI
+{
+    public class HostPageModel : PageModel
+    {
+        public string Host { get; set; }
+
+        public void SetHost(IConfiguration configuration, bool changeOrder=false)
+        {
+            var h1 = "host1";
+            var h3 = "host3";
+            if (changeOrder == true)
+            {
+                h1 = "host3";
+                h3 = "host1";
+            }
+            Host = configuration[h1];
+            var theHost = HttpContext.Request.Host.Value;
+            if (Host.Contains(theHost))
+            {
+                Host = configuration[h3];
+            }
+        }
+    }
+}

aspnetcore/security/cors/3.1sample/Cors/WebAPI/Pages/HostPageModel.cs

@@ -0,0 +1,45 @@
+@page
+@model WebAPI.IndexModel
+@inject Microsoft.Extensions.Configuration.IConfiguration Configuration
+
+
+<div class="text-center">
+    <h1 class="display-4">CORS Test 1</h1>
+    @{
+        var host3 = Configuration["host3"];
+
+        var theHost = HttpContext.Request.Host.Value;
+
+
+        if (!host3.Contains(theHost) && !theHost.Contains("localhost"))
+        {
+            <text>Test from <a href="@host3">@host3</a>  or
+            <a href="https://localhost:5001">https://localhost:5001</a>
+            </text>
+        }
+    }
+</div>
+
+<div>
+    <span id='result'></span>
+</div>
+
+<ul>
+    <li>
+        <input type="button" value="Values"
+               onclick="MyTestCors3( '@Model.Host','/api/values', 'GET')" />
+    </li>
+
+    <li>
+        <input type="button" value="PUT test"
+               onclick="MyTestCors3( '@Model.Host', '/api/values/5', 'PUT')" />
+    </li>
+
+    <li>
+        <input type="button" value="GetValues2 [DisableCors]"
+               onclick="MyTestCors3( '@Model.Host','/api/values/GetValues2', 'GET')" />
+    </li>
+</ul>
+
+<script src="~/js/MyJS.js"></script>
+